@rseiler, you mentioned something before that made me think twice:
rseiler wrote: It would have been very weird if it found an integrity problem after installing a new build, since that process does its own checking of this type, and the odds of there being that kind of problem afterwards are very low-to-impossible.
That assumes that the integrity check is happening with a known "signature" at the time of the installation, correct? You compare the signature of "ntdll.dll" with the signature that you have on the installer. A match? Proceed and update the system.
But what if you "forget" at the last step to also update the system's known signatures? Or you end up with a mix of signatures? I really don't know how the whole thing works, i.e. is it self-signed per file, or does it have a database of known files/signatures?
Just thinking out loud...
Update: Then the "sfc /verifyonly" would fail too, wouldn't it? You'd think...